From 858069eb28f440d5fb8658f1c3903e078ac42b92 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Fri, 12 May 2017 18:33:23 +0200

Subject: [PATCH] evaluate: Avoid undefined behaviour in concat_subtype_id()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360789

Upstream Status: nftables commit 83e52f7a7f5ea

commit 83e52f7a7f5eaa893e146d23ff2e9292179f9485

Author: Phil Sutter <phil@nwl.cc>

Date:   Tue Aug 30 19:39:52 2016 +0200

    evaluate: Avoid undefined behaviour in concat_subtype_id()

    For the left side of a concat expression, dtype is NULL and therefore

    off is 0. In that case the code expects to get a datatype of

    TYPE_INVALID, but this is fragile as the output of concat_subtype_id()

    is undefined for n > 32 / TYPE_BITS.

    To fix this, call datatype_lookup() directly passing the expected

    TYPE_INVALID as argument if off is 0.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

---

 src/evaluate.c | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c

index 680eda0..20584b7 100644

--- a/src/evaluate.c

+++ b/src/evaluate.c

@@ -965,7 +965,10 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)

 						 "expressions",

 						 i->dtype->name);

-		tmp = concat_subtype_lookup(type, --off);

+		if (dtype == NULL)

+			tmp = datatype_lookup(TYPE_INVALID);

+		else

+			tmp = concat_subtype_lookup(type, --off);

 		expr_set_context(&ctx->ectx, tmp, tmp->size);

 		if (list_member_evaluate(ctx, &i) < 0)

-- 

1.8.3.1